Every bank should establish a core team for crisis management, with a clear idea of which functions should have a seat at the table.
By Sepideh Rowland
For centuries, mariners have told stories of rogue or killer waves, many of which sank big ships in mere seconds and heavily damaged others that survived the encounter. Seafarers and oceanographers agree that rogue waves are large, hard to predict and perilous. Financial institutions are like ships at sea, vulnerable to crises that arise unexpectedly. Like a ship struck by a wave, the institution has an urgent need to regain stability. Compliance teams are well-positioned to help right the ship and navigate through the crisis.
Understanding the nature of crises in financial institutions
Crises also could develop quickly from geopolitical developments, such as international conflicts that erupt and trigger the rapid implementation of sanctions.
Other ways crises can arise for financial institutions are through internal or insider risks, and brand or reputational risks. For example, a bank’s policies and practices may exacerbate the risk of insider malfeasance. Fraud and corruption are perennial threats in any organization and they may flourish in a bank due to a lack of effective internal controls. Brand and reputational damage can occur from a variety of sources, including but not limited to:
Liquidity problems/financial contagion. Throughout history and even this year, institutions have faced liquidity crises from depositors making runs on banks, withdrawing funds suddenly. Even though a single institution may suffer a liquidity crisis, depositors’ loss of confidence can become contagious and afflict other banks. Financial panics have occurred multiple times in the United States since the 19th century—dating to numerous events throughout the 1800s and 1900s, and most recently the global financial crisis of 2008-2009.
Cyber events. Hacking and ransomware attacks are among the most common cyber threats that financial institutions face, but even unintentional acts can result in network disruption and loss of confidence in the institution by customers—and, of course, invite regulatory scrutiny.
Data breaches. Not every cyber event may expose sensitive data, but breaches loom large as a business risk. A big reason for that is that every state has breach notification laws, and some have thresholds as low as a single record. In addition, data privacy regulations typically carry steep financial penalties.
Domestic violent extremism. From attempts to damage or disable power transmission stations, to violent protests and ideologically driven mass shootings, incidents of domestic terrorism or violent extremism have become more frequent. Numerous bank branches were damaged, looted or burned during riots in 2020 and 2021 in various cities.
Internal investigations. When something is amiss inside a financial institution, an internal investigation is usually one of the first steps undertaken to uncover the problem. What is worse than an internal investigation discovering evidence of fraud, or violations of ethics and compliance, that results in costly penalties?
Incidents that trigger internal investigations represent reputational crises for banks, and that damage is multiplied when regulatory authorities find such investigations lacking. When that occurs, the wrongdoing—even if it was the work of an individual or small group of individuals—could be perceived as pervasive, or as having occurred due to the institution’s mismanagement.
Litigation or enforcement actions. Other sources of risk to a financial institution’s brand or reputation are litigation and regulatory enforcement actions. Lawsuits and enforcement actions can be interrelated and causative—the existence of one often will trigger the other. A regulatory enforcement action due to a finding of wrongdoing or lack of controls at a bank can be the basis of additional allegations in civil litigation, including shareholder action. Particularly damaging are enforcement actions and lawsuits relating to harm to customers, such as data breaches or deceptive business practices. Recovering from these kinds of crises and restoring customers’ trust can be exceedingly difficult for banks.
Natural disasters. As the frequency and intensity of natural disasters grow, banks may face prolonged disruption of some of their operations. For example, when a major hurricane knocks out power and makes roads impassable, many bank branches and offices may be forced to close—potentially for weeks or longer. Workarounds and digital access may be the only way for banks to serve affected communities, at a time when those customers most need access to their funds.
Manifesting in different channels
Banks can experience a crisis through various channels. These include:
• An increase in customer complaints and even a reduction in deposits
• Negative comments on social media, such as bad reviews and disparaging posts
• Regulatory scrutiny and ensuing media coverage
• Shareholder expectations, which can cause sudden shifts in a bank’s share value or even shareholder litigation.
Financial crises may look somewhat different from those in the past, such as the Wall Street crash of 1929 and the Y2K millennium computer bug panic. But as we have seen with several banks in 2023, institutions are not immune to runs on banks and financial panics today. Not all situations allow institutions the luxury of time to develop and test a plan, or to dedicate staff and resources. Given the increased use of digital payments, the rapid movement of funds can have a drastic, immediate impact on a financial institution, including causing liquidity and capital risks.
For compliance professionals, knowing where to search for signs of a crisis is as important as understanding how it occurred in the first place. This knowledge will enable the compliance team to inform decision making.
Among hard choices, choose wisely
During crises, financial institutions are often presented with a multitude of complex decisions that can be difficult to navigate. As such, financial institutions should develop plans and processes that allow them to consider their options and choose wisely.
Bad decisions are more likely during periods of extreme stress or where there is a lack of time to gather sufficient information or resources to help make an informed decision. Because of this, banks should strive to have the right information at hand, to guard against compounding the problem that caused the crisis.
When confronting a crisis, a bank’s choices may cascade into additional decisions. Before long, the “decision tree” for an institution’s board and executive leadership may look quite complicated. These choices can include:
- Improvise or go by the book? Institutions should already have crisis management plans and refer to them, even if the crisis is a completely new experience for the bank. Improvisation in emergencies seldom leads to optimal outcomes.
- Handle matters in-house or seek outside help? Some incidents are too complex for a bank to manage by itself, or quickly exceed the bank’s capacity to handle on its own. When that happens, engaging outside compliance and risk management experts is prudent. Before a crisis becomes an existential threat, the institution should seek help from qualified professionals.
- Communicate with stakeholders promptly or wait until more information is available? Banks should remember that stakeholders include more than customers and employees. Investors, regulators, suppliers and the communities they serve also are important constituents. Timing of communications with stakeholders matters; transparency and reporting are more important than ever during times of uncertainty. Generally, stakeholders are better served when banks keep them informed rather than postpone updates.
- Conduct layoffs during an economic crunch or wait until uncertainty passes? In the event of a bank run that subsequently results in a massive loss of deposits, the immediate reaction of an institution might be to think of downsizing staff as a means to stay afloat. However, sudden reductions in workforce can further deteriorate a bank’s situation, particularly when they involve crucial compliance functions.
Each decision during a crisis can have long-lasting effects for a bank and its growth strategy. Exceptional circumstances, such as the pandemic, can force banks to quickly redefine business as usual. Suspending policies and taking shortcuts can be tempting, but regulatory compliance is still required. In fact, some regulatory authorities have specific rules for operating during disasters and other crises. Before banks embark on making exceptions to cope with a crisis, they should consult with their compliance teams and outside experts to make sure they can continue to fulfill requirements.
Compliance should lead the dance
In preparation for a potential crisis, banks should proactively involve their chief compliance officer and compliance team in creating a plan of action and response strategy.
There is a good reason for this. Compliance and risk management professionals are accustomed to thinking ahead and developing contingency plans. This mindset can be invaluable when the unexpected occurs, as risk management and compliance do not start at the time a bank realizes it has a crisis. Compliance professionals also have a deep understanding of the regulatory landscape and can become key advisors on regulatory expectations as well as trusted partners to bring in third parties as needed to support remedial activity.
Having up-to-date and accurate information about the organization is imperative for good decision making during a crisis. This information can cover who is on the crisis response team, the cadence and method of communication, and roles and responsibilities of each of the team members. Understanding early who will have what role, such as engagement of regulatory agencies or any external reporting, is valuable to avoid confusion or duplicative work in the chaotic crisis environment. Developing a roadmap on who can gather what internal or external information is key to ensuring that there are clear workstreams defined well in advance. The compliance team should understand the information it has available and be able to provide it easily. This information is necessary for both internal and external reporting and meeting everyday compliance requirements.
Every financial institution should establish a core team for crisis management, with a clear idea of which functions should have a seat at the table. Compliance certainly should be represented, as should risk management, legal, operations and human resources. Involving different functions in crisis management affords the financial institution a diverse set of perspectives and problem-solving approaches.
Solutions for compliance teams to consider
Compliance teams can take several steps in advance to enhance the value they bring to their organizations during times of crisis. Among those steps:
• Plan crisis responses when the waters are calm—before the storm hits. Although you cannot predict the type of crisis, you can define what information each team can access.
• Break down silos. Conduct fact finding and establish collaboration across the institution. Communication becomes critically important, as does understanding how best to communicate regulatory matters.
• Establishing a culture of compliance and leading with a regulatory lens often requires a financial institution to build relationships and get involved early in crisis planning. Having a seat at the table early, prior to a crisis, can help a compliance officer navigate the institution through regulatory issues.
• Provide communication and documentation. Compliance professionals should support the documentation effort to be able to tell regulators and other stakeholders the story of how the organization navigated through the crisis. Often this step becomes an afterthought, and compliance is left piecing the puzzle together in preparation for an examination or regulatory review.
• Survive and thrive. In the aftermath of a crisis, compliance should take the opportunity to learn from the experience, improve the institution’s compliance approach to crises and enhance controls to manage compliance-related risk. Taking the opportunity to further enhance and evolve compliance controls and to train employees is important to demonstrate and incorporate learnings.
Sepideh Rowland is a senior managing director of FTI Consulting (fticonsulting.com) in Washington, D.C.
She has 25 years of legal and compliance experience in financial services. She has deep regulatory and operational knowledge of banking, money services businesses, virtual assets and fintech. In her career, she led compliance or BSA/AML and sanctions functions at respected financial institutions, community banks, and money services businesses. Rowland serves on several advisory boards, including the Association of Certified Anti-Money Laundering Specialists, the ABA/ABA Financial Crimes Enforcement Conference, the American Bankers Association Certified AML and Fraud Professional certification program, and is a member of the editorial board of ABA Bank Compliance magazine. She has a juris doctor degree and is a Certified Community Bank Compliance Officer (CCBCO) as well as a Certified AML and Fraud Professional (CAFP).
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates or its other professionals.